How to Stay Secure on Slack

If you’re already on the Slack bandwagon, then you have probably experienced first-hand how it can make communications between teams far simpler and more streamlined. With 1.7 million daily active users, it’s clear Slack has come to dominate the team chat world, especially in tech and tech-savvy industries.

From a security perspective, Slack has done a solid job of keeping its assets on lock. In 2016, they scored Geoff Belknap from Palantir to become chief security officer. And they have been pretty transparent about their approach to security. They have dedicated a whole section of their website to it and published interviews with Belknap and others that delve into Slack’s precautions and philosophy around security. Belknap says, “My job is to worry. Professionally. So that our customers don’t have to.” We love that attitude!

The company has also gone to the trouble of certifying many of its products to meet stringent compliance regulations like FINRA, HIPAA, and SOC 2 and 3, which makes it a no-brainer for small teams and enterprises alike.

So, we feel that it’s perfectly possible for companies of all shapes and sizes to lean on Slack for team chat and ops without worrying too much about security. But, we also believe in the shared responsibility model when it comes to any form of online security. No one’s perfect, and Slack’s ubiquity and popularity mean that it will always be a target for cybercriminals looking to steal information.

There’s no need to run scared, but you do need to be smart about how you use this valuable tool. Here are our tips for running Slack securely at your organization.

Require Two-Factor Authentication

Slack’s included security precautions won’t do you much good unless you actually put them into practice. One great example is two-factor authentication (or 2FA). It’s up to team owners and admins to require this of their users (otherwise, it will be optional, and most users won’t bother). We strongly suggest that you take advantage of this feature, which makes it much harder for hackers to tap into your organization’s Slack channels. Need some help getting started?

Set Up User Provisioning and Deprovisioning

Organizations today need to think about and work around insider threats. This includes employees who leave the company, whether on their own terms or due to an incident.

To ensure that you do not have any “lurkers” who might be able to take advantage of company information shared on Slack after they have left the company, it’s a good idea to plan ahead for user provisioning and deprovisioning.

In fact, this should be built into your process for onboarding and offboarding employees, just like it would be for email or any other company asset. If possible, you should automate the process, so that the moment someone leaves the company, they no longer have access to Slack. For your reference, here’s Slack’s guide to provisioning and deprovisioning users.

Don’t Share Secrets

Slack is a great place to have secure conversations, but that doesn’t mean you should treat it like it’s watertight. Never use Slack to share secrets such as passwords, sensitive customer data, or valuable corporate IP. Anything highly confidential should be kept off the platform. A good rule of thumb is this: If a piece of information could be dangerous in a hacker’s hands, it doesn’t belong on Slack. Instead, use encrypted communication channels, like PGP-enabled email.

Educate Users

None of the tips above will do your organization any good if no one knows about them. So make sure that you regularly educate your users about steps they need to take to stay secure while using Slack (like never sharing passwords there). You should hold user security training whenever new employees come on board, and also make sure to do a refresher now and again with the entire company.

Additionally, if you change up security protocols around tools like Slack, make sure that employees are given a head’s up and reminded when new measures go into effect so they know what to expect. Remember: The best offense is a good defense.

Your security operations likely include members of the DevOps team as well as dedicated security folks, and Slack can help all team members integrate security into their workflows seamlessly. For example, since my focus is on DevOps, I rarely log into the Threat Stack platform directly. However, any relevant alerts or notifications will come my way via Slack, where I can review them and quickly decide whether further action is needed — all without having to step outside of my daily workflow. This means security tasks don’t pose an extra headache, but are just a natural part of the way our company’s operations run.

Don’t Slack on Security

Slack is a great platform with all kinds of benefits for teams. As long as you take the right security precautions, there’s no reason why it can’t be used to its full potential on your team, whether you’re a small shop or a multinational enterprise. As with any other tool, the shared responsibility model is key. Take responsibility for your half of the security equation, and you should be well on your way to a secure Slack implementation.

As Threat Stack's Senior Director, Operations & Support, Pete is focused on delivering the highest level of service, reliability, and customer satisfaction to Threat Stack's growing user base. An industry veteran with over 20 years' experience in DevOps, Pete understands the challenges and issues faced by security, development, and operations professionals everyday and how we can help. Prior to Threat Stack, Pete held senior positions at Dyn and Sonian where he built, managed, and developed automation and release engineering teams and projects.